private static void OnResultProvided(object sender, ScanResultArgs <AutoTweakableResult> e)
{
if (CheckForManager())
{
ITweakable tweakble = e.result.tweakble;
Manager.RegisterTweakable(tweakble);
e.result.autoTweakable.tweakable = tweakble;
e.result.autoTweakable.UniqueId = e.result.uniqueId;
}
}
private void CustomSerializerFound(object sender, ScanResultArgs <CustomSerializerResult> e)
{
CustomTypeSerializer customTypeSerializer = Activator.CreateInstance(e.result.type, this) as CustomTypeSerializer;
customSerializers.Add(customTypeSerializer.CustomType, customTypeSerializer);
}
static void Main(string[] args)
{
// Output some information about the program running
Console.Title = "Berzerk Malware Scanner - Test Client - http://JordanHook.com";
// Output version of tester
Console.WriteLine("Berzerk Malware Scanner Test Client 1.0");
// Scan a folder based on the args
if (args.Length == 0)
{
Console.WriteLine("No scan directory specified...");
return;
}
// Declare some variables for the scan
string ScanDirectory = args[0];
// Our controllers...
SignatureController Signatures = new SignatureController("sigs.sdb");
// Load the library setting defaults (we will add a settings controller later...)
BerzerkAPI.Settings.Defaults();
//Set max file size to 5mb to testing purposes..
BerzerkAPI.Settings.MaxFileSize = (1024 * 1024) * 5;
// Try to load the signatures
if (Signatures.LoadDatabase())
{
Console.WriteLine("Signature database was loaded with {0} entries", Signatures.Signatures.Count);
}
else
{
// If the signatures can't be loaded... we can't scan for anything
Console.WriteLine("Unable to load signature database...");
return;
}
// Output current task
Console.WriteLine("\nGathering files to scan...");
// Now that our controllers have been loaded... we can attempt to start scanning files
Queue <string> ScanList = BerzerkAPI.IO.File.CreateFileQueue(ScanDirectory, true);
// Output current task
Console.WriteLine("\nScanning {0} files...", ScanList.Count);
// Loop through each file in the list
//foreach (string file in ScanList)
//{
// try
// {
// // Run a scan on the file
// Signature scan = BerzerkAPI.IO.File.ScanFile(file, Signatures, Cached);
// // Check if there is a threat detected
// if (scan != null)
// {
// // Output the detection type and file location
// Console.WriteLine("\nDETECTED {0}:\n{1}", scan.Definition, file);
// }
// }
// catch (Exception)
// {
// // We were unable to access the current file due to permission issues or it being in use...
// }
//}
// Multi threaded scan
List <Thread> ScanThreads = new List <Thread>();
int totalFiles = ScanList.Count();
// Run an extra thread to display some information about the scan...
new Thread(() =>
{
// While the scan is still running
while (ScanList.Count > 0)
{
Thread.Sleep(5000);
Console.WriteLine("{0} Files left to scan...", ScanList.Count);
Console.WriteLine("{0} Scanning threads running...", ScanThreads.Count());
Console.WriteLine("{0} Files have been scanned...", totalFiles - ScanList.Count());
// Garbage collect call since our scans use a lot of resources
GC.Collect();
}
}).Start();
// While there are files left to scan...
while (true)
{
// If there are no scans running and no files left to scan
// Exit the infinite loop
if (ScanThreads.Count() == 0 && ScanList.Count == 0)
{
break;
}
// Find a dead thread...
var dead = ScanThreads.FirstOrDefault(th => th.ThreadState == ThreadState.Stopped);
// While there are more dead threads
while (dead != null)
{
// Remove them
ScanThreads.Remove(dead);
// Find more?
dead = ScanThreads.FirstOrDefault(th => th.ThreadState == ThreadState.Stopped);
}
// Ensure 1 thread per processor core
while (ScanThreads.Count() < Environment.ProcessorCount)
{
// Don't start a new thread if the scan list is empty.. we just need to wait for the rest of the scans to finish...
if (ScanList.Count == 0)
{
break;
}
// Create a new thead
Thread t = new Thread(() =>
{
try
{
// Get the next file
string current = ScanList.Dequeue();
// Scan the current file
//Signature scan = BerzerkAPI.IO.File.ScanFile(current, ref Signatures, ref Cached);
ScanResultArgs result = BerzerkAPI.IO.File.ScanFile(current, Signatures);
// Check the results
if (result.Detection != null)
{
Console.WriteLine("\nDETECTED {0}:\n{1}", result.Detection.Definition, current);
}
}
catch (Exception)
{
// We were unable to access the current file due to permission issues or it being in use...
}
});
// Add the scan thread to the list
ScanThreads.Add(t);
// Run the thread
t.IsBackground = true;
t.Start();
}
// Pause while we wait for a scan to finish...
Thread.Sleep(10);
}
// All scans completed, give a delay before outputting finished results incase a detection is still being outputted..
Thread.Sleep(1500);
// EOP...
Console.WriteLine("\n\n\nScan complete, press any key to exit...");
Console.ReadKey();
}
private void OnObjectFound(object sender, ScanResultArgs <T> e)
{
RegisterObject(e.result);
}
private void OnWatchableScanned(object sender, ScanResultArgs <IWatchable> e)
{
scannedObjects.Add(e.result);
}
private void OnTweakableScanned(object sender, ScanResultArgs <ITweakable> e)
{
scannedObjects.Add(e.result);
}
public void Run()
{
// Create master thread to manage running threads
Thread t = new Thread(() =>
{
// Create local copies of databases to work with
SignatureController localSignatures = this.Signatures;
TargetProcess = Process.ProcessQueue();
bool loadProcess = false;
//MaxThreads = 1;
//MaxThreads /=2;
// While we are not canceling the whole scan...
while (!Cancel)
{
while (Pause)
{
Thread.Sleep(500);
// exit
if (Cancel == true)
{
// exit
return;
}
}
//detmine number of threads to use when scanning
if (Settings.ReducePriority)
{
this.MaxThreads = Environment.ProcessorCount / 2;
}
else
{
this.MaxThreads = Environment.ProcessorCount;
}
// If all scans have finished and there is nothing left to scan...
if (RunningThreads == 0 && TargetFiles.Count() == 0 && TargetProcess.Count() == 0)
{
// All files have been scanned... time to implement a process scanner....
// Attempt to raise event for scan complete
// Raise the event
ThreatScanComplete?.Invoke(this);
// And then exit the loop
break;
}
else if (TargetFiles.Count() == 0 && !loadProcess)
{
loadProcess = true;
// Get a queue of new process...
TargetProcess = Process.ProcessQueue();
}
else
{
// Check for existing dead threads in the thread list
//var dead = ScannerThreads.FirstOrDefault(th => th.ThreadState == ThreadState.Stopped);
// // while there are dead threads to remove...
// while (dead != null && !Cancel)
// {
// // Remove dead thread
// ScannerThreads.Remove(dead);
// // Check for more
// dead = ScannerThreads.FirstOrDefault(th => th.ThreadState == ThreadState.Stopped);
// }
if (ScannerThreads.Count > 0)
{
for (int i = 0; i < ScannerThreads.Count; i++)
{
//if(ScannerThreads[i].ThreadState == ThreadState.Stopped)
ScannerThreads[i].Join();
ScannerThreads.Remove(ScannerThreads[i]);
}
}
// Clean garbage left behind by scans...
GC.Collect();
// All target files were scanned... start a process scanning...
if (TargetFiles.Count == 0)
{
// Loop through the process queue time..
while (RunningThreads < MaxThreads && TargetProcess.Count > 0 && !Cancel)
{
// Get next process
var target = TargetProcess.Dequeue();
// Create a scanner for it..
Thread scan = new Thread(() =>
{
try
{
// Check white list against process before scanning it
if (Settings.WhiteList.Contains(NativeMethods.GetExecutablePath(target)))
{
return;
}
// Heuristically analyze file first
var heur = BerzerkAPI.IO.Heuristic.Analyze(API.NativeMethods.GetExecutablePath(target));
if (heur != null)
{
ThreatDetectedArgs args = new Controllers.ThreatDetectedArgs()
{
Detection = heur, FilePath = API.NativeMethods.GetExecutablePath(target)
};
ThreatDetected?.Invoke(this, args);
}
else
{
// create a scan of the process
Signature res = Process.ScanProcess(target, ref localSignatures);
// Scan the file and get results
//Signature result = BerzerkAPI.IO.File.ScanFile(target, ref localSignatures, ref localCache);
ScanResultArgs result = BerzerkAPI.IO.File.ScanFile(NativeMethods.GetExecutablePath(target), localSignatures);
// accumulate the total scanned data in MB
ScannedData += (result.Size / 1024) / 1024;
// Check results
if (result.Detection != null)
{
// Attempt to raise detection event
// Create event args
ThreatDetectedArgs args = new ThreatDetectedArgs()
{
Detection = result.Detection, FilePath = NativeMethods.GetExecutablePath(target)
};
// Raise event ?
ThreatDetected?.Invoke(this, args);
}
} // end of heuristic else
// Try to scan the process
//var result = BerzerkAPI.IO.Process.ScanProcess(target, ref localSignatures);
//// If a threat was found in the process
//if(result != null)
//{
// ThreatDetectedArgs args = new Controllers.ThreatDetectedArgs()
// {
// Detection = result,
// FilePath = NativeMethods.GetExecutablePath(target)
// };
// ThreatDetected?.Invoke(this, args);
//}
}
catch (Exception ex)
{
#if DEBUG
Console.WriteLine(ex.Message);
#endif
}
//ScannerThreads.Remove(Thread.CurrentThread);
});
// Add thread to list
ScannerThreads.Add(scan);
// Run thread in bg
scan.IsBackground = true;
scan.SetApartmentState(ApartmentState.MTA);
// Run the scan
scan.Start();
// scan.Join();
}
}
// Now that we have freed space in the thread list, we need to create new threads
// Loop while there is room left for more threads
// And while there are files left to scan
while (RunningThreads < MaxThreads && TargetFiles.Count > 0 && !Cancel)
{
// Get the next scannable file
string target = TargetFiles.Dequeue();
// Create new scan thrad for the next file
Thread scan = new Thread(() =>
{
try
{
// Scan the file and get results
//Signature result = BerzerkAPI.IO.File.ScanFile(target, ref localSignatures, ref localCache);
ScanResultArgs result = BerzerkAPI.IO.File.ScanFile(target, localSignatures);
// accumulate the total scanned data in MB
ScannedData += (result.Size / 1024) / 1024;
// Check results
if (result.Detection != null)
{
// Attempt to raise detection event
// Create event args
ThreatDetectedArgs args = new ThreatDetectedArgs()
{
Detection = result.Detection, FilePath = target
};
// Raise event ?
ThreatDetected?.Invoke(this, args);
}
// Sleep thread before ending it to provide some timeout for the cpu
//Thread.Sleep(20);
}
catch (Exception ex) // debugging purposes
{
// something went wrong...
#if DEBUG
Console.WriteLine(ex.Message);
#endif
}
//ScannerThreads.Remove(Thread.CurrentThread);
});
// Add thread to list
ScannerThreads.Add(scan);
// Run thread in bg
scan.IsBackground = true;
scan.SetApartmentState(ApartmentState.MTA);
// Run the scan
scan.Start();
//scan.Join();
}
}
}
});
// Set the thread to run in the bg and run it
t.IsBackground = true;
t.Start();
}
